The following flaw was found in Asterisk: The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication, RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used, RTP port exhaustion will occur and no RTP sessions are able to be set up.
Upstream bug: https://issues.asterisk.org/jira/browse/ASTERISK-26272
External References: http://downloads.asterisk.org/pub/security/AST-2016-007.html
Created asterisk tracking bugs for this issue:
Affects: fedora-all [bug 1374734]
Affects: epel-6 [bug 1374735]
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838832
UPDATE (20 October, 2016): It has been brought to our attention by Walter Doekes that this same leak can be exploited without the use of the overlap dialing feature. Sending SIP requests in a specific sequence outside the norm could also cause the leak of RTP resources. By sending an in-dialog INVITE after receiving a 404 response (but before sending an ACK), an attacker could cause the same leak to occur.
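The leak pattern described above (new RTP resources allocated on each "more digits needed" or re-INVITE round without releasing the ones the dialog already holds), reduced to a toy model as an added example. This is not Asterisk code: the port pool, `struct sip_dialog` and the handler names are hypothetical, and the pool is deliberately tiny so exhaustion is visible.

```c
#include <string.h>

/* Added example, not Asterisk code: a toy RTP port pool and a SIP-dialog
 * struct that model the leak in AST-2016-007. All names are hypothetical. */
#define RTP_PORTS 4                 /* tiny pool so exhaustion shows quickly */

static int port_in_use[RTP_PORTS];  /* 1 = allocated */

static int rtp_ports_free(void) {
    int n = 0;
    for (int i = 0; i < RTP_PORTS; i++) n += !port_in_use[i];
    return n;
}

/* Returns an allocated "RTP instance" (a port index), or -1 if exhausted. */
static int rtp_alloc(void) {
    for (int i = 0; i < RTP_PORTS; i++)
        if (!port_in_use[i]) { port_in_use[i] = 1; return i; }
    return -1;
}

/* Releases the port a dialog holds, if any, and clears the handle. */
static void rtp_release(int *port) {
    if (*port >= 0) { port_in_use[*port] = 0; *port = -1; }
}

static void pool_reset(void) { memset(port_in_use, 0, sizeof port_in_use); }

struct sip_dialog { int rtp; };   /* the RTP instance the dialog tracks */

/* Vulnerable pattern: every round allocates fresh RTP and overwrites the
 * handle, so the previous allocation is never released by anyone. */
static int handle_reinvite_leaky(struct sip_dialog *d) {
    d->rtp = rtp_alloc();
    return d->rtp;
}

/* Fixed pattern: release what the dialog already holds before reallocating. */
static int handle_reinvite_fixed(struct sip_dialog *d) {
    rtp_release(&d->rtp);
    d->rtp = rtp_alloc();
    return d->rtp;
}

/* Drive one dialog through `rounds` re-INVITEs, tear it down, and report
 * how many pool ports are still free afterwards. */
static int ports_left_after(int (*handler)(struct sip_dialog *), int rounds) {
    pool_reset();
    struct sip_dialog d = { .rtp = -1 };
    for (int i = 0; i < rounds; i++) handler(&d);
    rtp_release(&d.rtp);            /* teardown frees only what the dialog tracks */
    return rtp_ports_free();
}
```

With the leaky handler the pool is drained after `RTP_PORTS` rounds and teardown recovers nothing, which is the port-exhaustion denial of service the advisory describes; the fixed handler leaves the pool full after any number of rounds.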
I'm working with the Digium developers to get systemd support added to dahdi-tools, so that we can unretire dahdi-tools, which is a dependency of Asterisk. That will allow me to update the Asterisk packages in Fedora/EPEL to the latest version which will close this vulnerability.